Linksys Router Patch May Not Stop TheMoon Worm

Experts said the remote-access protocol in home routers is inherently weak.

A worm called TheMoon, currently plaguing owners of Linksys routers, exploits such a simple remote-access protocol that a 2010 alert identified attacks on it as “Pushing the ‘Easy’ Button.”

Belkin International, which now owns the Linksys brand, has posted a workaround for the remote-management flaw and has promised a firmware patch to stop the affected routers from accepting some remote-access admin requests without checking whether the supplied password is valid.

More than one vendor could share the same implementation bug in the same protocol, but the underlying issue is that HNAP, the Home Network Administration Protocol, is inherently insecure, enabled by default in home routers, and often cannot be disabled by home users who want to harden their routers, according to a 2010 analysis from Tenable Network Security titled “HNAP Protocol Vulnerabilities – Pushing the ‘Easy’ Button.” HNAP is designed to be quick and inexpensive for OEMs to build into their networking equipment, and to make remote-access connections simple by letting network devices ask each other which of several authentication methods they support, without requiring end users to understand the process at all, according to an explanatory white paper from former Linksys owner Cisco Systems.

However, HNAP requests have to carry the same HTTP BASIC authentication (IETF RFC 2617) as other web-based router management interfaces, and can be required to run over HTTPS (TLS/SSL) connections rather than plain HTTP.

Those are trivial improvements over the default HTTP, especially when considering the additional weaknesses of including default admin passwords and the share-everything, check-almost-nothing nature of HNAP, according to Tenable researcher Paul Asadoorian in the 2010 alert. Requiring some level of authentication is good, but calling BASIC “protocol security” is a “stretch,” Asadoorian wrote at the time.

BASIC requires that the username and password be encoded in Base64, which means they have only been converted into a standardized text format so they can be sent across a network and recognized by other systems, not that they have been encrypted to protect them. Base64 maps arbitrary bytes onto a 64-character ASCII alphabet so the data survives transports that only handle printable text. But anyone, or any device, that knows that 64-character alphabet can decode a Base64 message trivially, according to Hewlett-Packard security architect Daniel Miessler.

Encrypted text, by contrast, can only be decrypted with a specific decryption key. Using Base64 encoding is an improvement over other embedded management protocols such as Telnet and SNMP, which send credentials across the network in cleartext, but only just barely, according to Asadoorian, who is also founder and CEO of the Security Weekly podcast and security-community site and the author of a series of papers on hacking embedded devices, especially wireless home routers.
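To make the Base64 point concrete, here is an added example (not code from the article, from Tenable, or from any vendor) that takes an HNAP management request as it would appear on the wire over plain HTTP and recovers the admin credentials from the Authorization header with nothing but the standard library. The captured request is constructed for this example; the address, the "admin"/"admin" credentials and the SOAPAction value are assumptions, not values taken from the page.

```python
import base64
import binascii

# Constructed sample of an HNAP SOAP request over plain HTTP. The host,
# the credentials and the SOAPAction are invented for this example.
SAMPLE_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.168.1.1\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"SOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings\"\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Split an HTTP/1.1 request into a lower-cased header-name -> value map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line (method, path, version)
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def recover_basic_credentials(raw: bytes):
    """Return (user, password) from an 'Authorization: Basic' header, or None.

    RFC 2617 Basic auth is just 'user:password' run through Base64. No key is
    involved, so anyone who can read the request (a sniffed LAN, a proxy, a
    web-server log) has the password. None is returned when there is nothing
    Basic to recover: no header, another scheme, or a malformed token.
    """
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(b" ")
    if scheme.lower() != b"basic":
        return None  # Digest or another scheme: different case entirely
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(b":")
    if not sep:
        return None
    return user.decode("utf-8", "replace"), password.decode("utf-8", "replace")


if __name__ == "__main__":
    print(recover_basic_credentials(SAMPLE_REQUEST))
```

Moving the same request to HTTPS hides the header from a passive observer on the path, but it does nothing about the other problem the article describes: a router that never compares the decoded password with the real one.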

Linksys said in a statement: “The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware. Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network, by disabling the Remote Management Access feature and rebooting their router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”

TheMoon worm works by connecting to port 8080 and requesting /HNAP1/, the URL of the router’s HNAP interface, which returns an XML-formatted summary of the router’s firmware and supported features. It then exploits one of four CGI scripts running on the routers using random “admin” credentials, credentials that are never verified because of a flaw in the Linksys implementation, according to the SANS summary.

The second request launches a shell script that downloads the second-stage payload, the worm itself, from the attacking router on port 193, after which the newly infected router scans for other routers to infect. The worm appears to be linked against OpenSSL and attempts to use TLS/SSL connections, possibly to reach a command-and-control server, according to SANS, though the code for that is not present in the version dissected.

“We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel,” according to a SANS update posted Feb. 16, which warns that heavy outbound scanning on ports 80 and 8080, or inbound connection attempts on port numbers smaller than 1024, may be good indications that a router is infected. An even better diagnostic is to send the following request to the router: echo "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080 (with bash, use echo -e so the \r\n escapes are turned into real line endings). “If you get the XML HNAP output back, then you MAY be vulnerable,” according to SANS researcher Johannes B. Ullrich, who wrote the initial alert.
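The following is an added example, written for this page rather than taken from the SANS diary or the article, that packages the two SANS checks above in Python: it builds the /HNAP1/ probe with its CRLF line endings spelled out (so the shell’s echo cannot mangle them), classifies a reply as HNAP output or not, and applies the traffic indicators (outbound scanning on 80/8080, inbound attempts on ports below 1024) to flow records. The reply, the flow records and their (src, dst, dst_port) layout are constructed for the example, and the threshold of 50 distinct scan targets is an assumption, not a figure from SANS.

```python
import socket

HNAP_PATH = "/HNAP1/"
SCAN_PORTS = {80, 8080}
SCAN_THRESHOLD = 50  # assumed: distinct targets on 80/8080 before we call it scanning


def build_hnap_probe(host_header: str = "test") -> bytes:
    """The raw request SANS suggests, with explicit CRLFs. 'Connection: close'
    is added so the router ends the reply and a socket read can finish."""
    return (
        f"GET {HNAP_PATH} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def looks_like_hnap(response: bytes) -> bool:
    """True when a router answered the probe with the HNAP XML device summary."""
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/1.") or b" 200 " not in status:
        return False
    return b"purenetworks.com/HNAP1" in body or b"GetDeviceSettingsResponse" in body


def probe_router(host: str, port: int = 8080, timeout: float = 3.0) -> bool:
    """Send the probe over a live socket and classify the reply. This is the
    only function that touches the network; it is not exercised offline."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_hnap_probe())
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return looks_like_hnap(b"".join(chunks))


def infection_indicators(flows, router_ip: str):
    """Apply the SANS traffic indicators to (src, dst, dst_port) flow records.

    Outbound from the router to many distinct hosts on 80/8080 suggests it is
    scanning for victims; inbound attempts to the router on ports below 1024
    match the low-port activity SANS associates with infected devices."""
    scanned = set()
    low_port_inbound = set()
    for src, dst, dport in flows:
        if src == router_ip and dport in SCAN_PORTS:
            scanned.add(dst)
        elif dst == router_ip and dport < 1024:
            low_port_inbound.add(dport)
    indicators = []
    if len(scanned) >= SCAN_THRESHOLD:
        indicators.append(f"outbound scan: {len(scanned)} hosts on ports 80/8080")
    if low_port_inbound:
        indicators.append(f"inbound to low ports: {sorted(low_port_inbound)}")
    return indicators


# Constructed sample reply: what a router exposing HNAP on 8080 sends back.
SAMPLE_HNAP_REPLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n\r\n"
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)
SAMPLE_OTHER_REPLY = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

# Constructed flow records: 64 outbound probes to port 8080, one inbound hit
# on port 193, one ordinary outbound HTTPS connection.
ROUTER = "192.168.1.1"
SAMPLE_FLOWS = [(ROUTER, f"10.0.{i // 256}.{i % 256}", 8080) for i in range(64)]
SAMPLE_FLOWS += [("198.51.100.7", ROUTER, 193), (ROUTER, "93.184.216.34", 443)]
BENIGN_FLOWS = [(ROUTER, "93.184.216.34", 443), ("198.51.100.7", ROUTER, 8080)]

if __name__ == "__main__":
    print(looks_like_hnap(SAMPLE_HNAP_REPLY), infection_indicators(SAMPLE_FLOWS, ROUTER))
```

As with the netcat one-liner, a positive probe result only says the HNAP interface is reachable on that port; whether the authentication bypass works against a given firmware is a separate question that the XML reply alone does not settle.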

Ullrich also wrote a Snort rule to identify HNAP exploit attempts. Two sample exploits have appeared since then. One, posted on Pastebin, lacks the shell drop that would make it functional, but is described by its author as the same basic script TheMoon uses to compromise the router. The other, posted to the exploit-db.com Exploit Database under the handle Rew, lists the models likely to be vulnerable, identifies four CGI scripts that could be vulnerable, and is based on the output of the TheMoon binary, but currently works only over a local area network, due to “an iptables issue or something,” according to Rew. “Left as an exercise to the reader.”

HNAP is a remote-access management protocol built on the Simple Object Access Protocol (SOAP). It does require authentication, but other HNAP implementations have been found with the same flaw as the Linksys firmware, in which HNAP/SOAP requests are accepted without checking whether the password is bogus, as in a description of a D-Link HNAP vulnerability to which the SANS report linked.

HNAP is designed to let hardware OEMs use a variety of access and authentication techniques, according to Cisco’s documentation, and to make remote-access connections simpler by requiring devices to publish the list of SOAP commands they support in response to the kind of GetDeviceSettings query seen in both the worm and the published exploits.
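To show what that published command list looks like in practice, here is an added example (not code from Cisco, SANS or the article) that parses a GetDeviceSettings reply and pulls out the device identity and the SOAPActions the router advertises, then separates the Set* actions, which change configuration, from the read-only ones. The reply is a constructed sample modelled on the response format in Cisco’s HNAP documentation; the vendor, model, firmware string and the particular actions listed are invented for the example.

```python
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Constructed sample reply modelled on the documented GetDeviceSettings
# response layout. Vendor, model, firmware and action names are invented.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>GatewayWithWiFi</Type>
      <VendorName>ExampleVendor</VendorName>
      <ModelName>EXAMPLE-1</ModelName>
      <FirmwareVersion>1.0.0</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWLanRadios</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def parse_device_settings(xml_bytes: bytes) -> dict:
    """Extract vendor, model, firmware and the advertised SOAPActions.

    The reply comes from an untrusted device; xml.etree is used here for
    portability, but defusedxml is the safer parser where it is available.
    Raises ValueError when the document is not a GetDeviceSettings response.
    """
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{HNAP_NS}}}GetDeviceSettingsResponse")
    if resp is None:
        raise ValueError("not a GetDeviceSettings response")

    def text(tag: str):
        el = resp.find(f"{{{HNAP_NS}}}{tag}")
        return el.text.strip() if el is not None and el.text else None

    actions = [s.text.strip() for s in resp.iter(f"{{{HNAP_NS}}}string") if s.text]
    return {
        "vendor": text("VendorName"),
        "model": text("ModelName"),
        "firmware": text("FirmwareVersion"),
        "actions": actions,
    }


def writable_actions(settings: dict) -> list:
    """Actions whose name starts with Set change configuration; on a router
    that does not check the password, these are the ones that matter."""
    return [a for a in settings["actions"] if a.rsplit("/", 1)[-1].startswith("Set")]


if __name__ == "__main__":
    settings = parse_device_settings(SAMPLE_RESPONSE)
    print(settings["model"], settings["firmware"])
    print(writable_actions(settings))
```

Because the device itself announces which commands it accepts, the same reply that tells an administrator what the router can do tells an attacker exactly which requests to send once authentication is not being enforced.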